Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Snyk is a developer-first security tool that performs vulnerability scanning for dependencies in various programming languages and platforms. It integrates with the development workflow to detect, prioritize, and fix vulnerabilities in open-source dependencies and containers. Snyk also provides license compliance and security policy enforcement features.
Vulnerability Scanning
Scans the project's dependencies for known vulnerabilities. This command is run in the terminal within the project's directory.
snyk test
Monitoring Project
Takes a snapshot of the current state of the project's dependencies and monitors them for newly disclosed vulnerabilities over time. This command is also run in the terminal within the project's directory.
snyk monitor
Fixing Vulnerabilities
Guides the user through the process of fixing detected vulnerabilities interactively. This command is executed in the terminal and may offer upgrade or patch options for the issues found.
snyk wizard
Container Vulnerability Management
Scans container images for vulnerabilities. Replace <image_name> with the name of the container image you want to test.
snyk container test <image_name>
Infrastructure as Code (IaC) Analysis
Analyzes Infrastructure as Code files to find security issues and misconfigurations. This command is used in the terminal where the IaC files are located.
snyk iac test
Built into the npm CLI, npm-audit provides a similar vulnerability scanning feature for npm packages. It automatically reviews the project's dependencies for known security issues but is limited to the npm ecosystem and does not offer the same breadth of language and platform support as Snyk.
Note: Snyk is currently only available for private beta testing. Email us if you want to join the beta.
Snyk helps you find and fix known vulnerabilities in your Node.js dependencies, both ad hoc and as part of your CI (Build) system.
To get up and running quickly, run these commands to install, authenticate and perform a quick test. Note that while we authenticate using GitHub, we do not require access to your repositories (only your email):
# If you're using node 0.10, first install npm 2 to support scoped modules, like so:
# npm install -g npm@2
npm install -g snyk
snyk auth
snyk test ionic@1.6.5
You can now see an example of several known vulnerabilities found on an older version of ionic, as well as guidance on how to understand and address them. In the next sections we'll explain how to run the same test on your own projects.
To test your own project for known vulnerabilities, browse to your project's folder and run snyk test, like so (swapping the folder with your project's folder):
cd ~/projects/myproj/
snyk test
snyk test will take stock of all the local dependencies and their installed versions, and report them to Snyk. The Snyk servers will check if there are known vulnerabilities on these dependencies, and if so report about them and suggest any remediation you can take. Since snyk test looks at the locally installed modules, it needs to run after npm install, and will seamlessly work with shrinkwrap, npm enterprise or any other custom installation logic you have.
snyk test can also get a folder name as an argument, which is especially handy if you want to test multiple projects. For instance, the following command tests all the projects under a certain folder for known vulnerabilities:
cd ~/projects/
# -mindepth 1 skips the parent folder itself; -maxdepth before -type avoids find's option-order warning
find . -mindepth 1 -maxdepth 1 -type d | xargs -t -I{} snyk test {}
Lastly, you can also use snyk test to scrutinize a public package before installing it, to see if it has known vulnerabilities or not. Using the package name will test the latest version of that package, and you can also provide a specific version or range using snyk test module[@semver-range].
snyk test lodash
snyk test ionic@1.6.5
If you ran snyk locally and found vulnerabilities, you should proceed to use snyk protect to address them.
Snyk's protect helps you address the known vulnerabilities snyk test found.
To get started, run protect in interactive mode:
snyk protect -i
Protect's interactive mode will run test again, and ask you what to do for each found issue. Here are the possible remediation steps for each vulnerability:
Upgrade - if upgrading a direct dependency can fix the current vulnerability, snyk protect can automatically modify your package.json file to use the newer version. Note that you'll still need to run npm update afterwards to get the new packages.
Ignore - If you believe this vulnerability does not apply to you, or if the dependent module in question never runs on a production system, you can choose to ignore the vulnerability. By default, we will ignore the vulnerability for 30 days, to avoid easily hiding a true issue. If you want to ignore it permanently, you can manually edit the generated .snyk file.
Patch - Sometimes there is no direct upgrade that can address the vulnerability, or there is one but you cannot upgrade due to functional reasons (e.g. it's a major breaking change). For such cases, snyk protect lets you patch the issue with a patch applied locally to the relevant dependency files. We manually create and maintain these patches, and may not have one for every issue. If you cannot upgrade, patch is often a better option than doing nothing. Note: patch is not yet enabled in the private beta, it will be soon. In the meantime, patch will be replaced with a short ignore.
Once completed, snyk protect -i will create a local .snyk file that guides non-interactive executions of snyk protect. Note that snyk protect will never unilaterally decide to ignore or patch a vulnerability - it will simply follow the guidance captured in the .snyk file.
To continuously test against and protect from known vulnerabilities, integrate Snyk into your continuous integration (a.k.a. build) system. Here are the steps required to do so:
1. Add snyk to your project's dependencies (npm install -S snyk), and commit the change in.
2. Ensure the .snyk file you generated was added to your source control (git add .snyk).
3. After the npm install steps in your CI, run snyk protect to apply any necessary patches.
4. Run snyk test to identify any known vulnerabilities not already ignored or patched. If such vulnerabilities were found, snyk test will return a non-zero value to fail the test.
A few potential alternatives to consider:
- Add snyk test to your package.json test scripts, to capture them in local npm test runs.
- Add snyk test as a post-install step in your package.json file, to immediately spot any newly added module which has known vulnerabilities.
- Add snyk protect as a post-install step in your package.json file, to apply patches even while working locally.
Note: During private beta, all snyk actions require authentication. This means modifying your package.json will require your entire team to first run snyk auth. If you don't want that, hold off on modifying your package.json file for now.
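As an added example (this is not code from the snyk README or the Snyk project), the following POSIX shell script turns the CI steps above into a build gate and also covers the earlier find | xargs case of testing every project under a parent folder: for each project it runs snyk protect (non-interactive, so it only follows the committed .snyk file) and then snyk test, keeps going past failures, and exits non-zero if any project still has vulnerabilities that are neither ignored nor patched. It assumes SNYK_BIN points at the snyk CLI (the default is the copy installed by npm install -S snyk) and that each project folder contains a package.json; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the snyk README: a CI gate built from the steps
# above. Assumptions: SNYK_BIN is the snyk CLI (default: the copy installed
# by `npm install -S snyk`), and every project folder contains a package.json.
SNYK_BIN="${SNYK_BIN:-./node_modules/.bin/snyk}"

# snyk_gate PROJECT_DIR
# Runs `snyk protect` (it only follows the committed .snyk file) and then
# `snyk test` inside one project. Returns snyk test's exit status, so a
# non-zero result means vulnerabilities that are neither ignored nor patched
# remain and the build should fail.
snyk_gate() {
  project="$1"
  if [ ! -f "$project/package.json" ]; then
    echo "skip: $project has no package.json" >&2
    return 0
  fi
  if [ ! -f "$project/.snyk" ]; then
    # Without a .snyk file nothing is ignored or patched; say so instead of failing silently.
    echo "note: $project has no .snyk file, snyk protect will change nothing" >&2
  fi
  ( cd "$project" && "$SNYK_BIN" protect ) || {
    echo "error: snyk protect failed in $project" >&2
    return 1
  }
  ( cd "$project" && "$SNYK_BIN" test )
}

# snyk_gate_all PARENT_DIR
# Gates every immediate sub-folder of PARENT_DIR (the README's find | xargs
# case), keeps going after a failure, and returns non-zero if any project
# failed, listing the failures on stderr.
snyk_gate_all() {
  parent="$1"
  failed=0
  for child in "$parent"/*/; do
    [ -d "$child" ] || continue
    child="${child%/}"
    if snyk_gate "$child"; then
      echo "ok: $child" >&2
    else
      echo "FAIL: $child" >&2
      failed=$((failed + 1))
    fi
  done
  echo "$failed project(s) with unaddressed vulnerabilities" >&2
  [ "$failed" -eq 0 ]
}

# Run directly with a parent folder to gate all projects under it, e.g.
#   sh snyk-gate.sh ~/projects
if [ $# -gt 0 ]; then
  snyk_gate_all "$1"
fi
```

Run it from the CI job after the npm install step; the script's exit status is the gate. Looping over the folders rather than piping find into xargs keeps a per-project failure list on stderr instead of a single aggregate exit status, and the missing-.snyk note makes it visible when a project has simply never had snyk protect -i run against it.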
With test and protect, you're well set up to address currently known vulnerabilities. However, new vulnerabilities are constantly disclosed - which is where monitor comes in.
Just before you deploy, run snyk monitor in your project directory. This will post a snapshot of your full dependency tree to Snyk's servers, where they will be stored. Those dependencies will be tracked for newly disclosed vulnerabilities, and we will alert you if a new vulnerability related to those dependencies is disclosed.
# example uses
cd ~/projects/myproject/
snyk monitor
# a snyk.io monitor response URL is returned
During the private beta, you will need to authenticate with snyk before being able to use any of its features. Once public, test and protect will be available without the need to auth.
Authentication requires you to have a GitHub account, but does not require access to your repositories - we simply use GitHub to spare you managing another set of credentials. Run snyk auth and follow the on-screen instructions.
If you are authenticating on a remote machine, for instance on a build server, you can use your API key from https://snyk.io and authenticate directly on the command line using snyk auth <key>. Browse to the Snyk app to find out your own API key.
For easy reference, here is a list of the examples previously mentioned.
Get Started
npm install -g snyk
snyk auth
snyk test ionic@1.6.5
Test a single local project
cd ~/projects/myproj/
snyk test
Test all projects under a parent folder
cd ~/projects/
find . -mindepth 1 -maxdepth 1 -type d | xargs -t -I{} snyk test {}
Test a public package
snyk test lodash
snyk test ionic@1.6.5
Interactive snyk protect to address found issues
snyk protect -i
Store a snapshot of current dependencies to monitor for new ones
# example uses
cd ~/projects/myproject/
snyk monitor
# a snyk.io monitor response URL is returned
While we use multiple sources to determine vulnerabilities, the primary (current) source is the Node Security project.
FAQs
snyk library and cli utility
The npm package snyk receives a total of 177,929 weekly downloads. As such, snyk's popularity was classified as popular.
We found that snyk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.